A.P. Lawrence

VPN's and other remote access

A VPN is a Virtual Private Network. The concept is that you are using public or other shared lines (generally the Internet) to connect machines, but that all packets are encrypted (so your connections are "private").

You should understand first that you do not necessarily need a VPN if you want remote clients to connect to your Linux or Unix server. You don't even necessarily need this if your concern is encryption for security. There are other ways to do these things and I'll talk about them also; the advantage of a VPN is convenience.

If you have private lines, there's really no point to a VPN. Which one is "better"? That depends on many things. If "faster" is your concern, then a VPN can be fast if you have fast Internet access at both ends of the connection, but if you don't, then it won't be fast and you might be better off with private or dial-up lines.

With an active VPN, the remote client machine acts very much exactly as it would act if it were physically connected to your office network. This is true even if your internal network is made up of non-routable, private addresses (see Networking 101). For example, if your internal pop mail server is at 192.168.2.5 and your application is at 192.168.2.3, the remote client still accesses those addresses, just as everyone in the physical office does.

What happens is that the person at home first connects to the Internet, using their modem, DSL, or whatever. At your office you have a VPN server sitting at a real ip address on the Internet. You have VPN software running on the client machine, so when they attempt to connect to an address that the VPN software recognizes as belonging to it (which is probably one of the internal addresses, such as 192.168.2.3), it routes packets to the real IP address and in turn the VPN server there passes them to the internal address. It's all transparent to the clients: everything looks to them as though they have a physical connection to your internal network: if they would "telnet 10.1.36.3" in the building, that's just what they'd do from home.

Exactly the same thing can be done with a direct modem to modem ( or other dedicated connection) from the client to your office. Ordinary TCP/IP over dial up PPP just requires an inbound PPP connection. The clients use DUN to acccess a modem at your location, nothing to do with the Internet. Again, their perception of addressing doesn't change, though of course there is no encryption. Once the remote client has made the ppp connection, it can access ip addresses within the internal network (assuming, of course that proper routing is in place, etc.).

People sometimes find this confusing, but think of the Internet as one giant private network and your local connection as a smaller version. Once you are appropriately connected to either one, you have access to that network, not just the machine you made the PPP connection to. In fact, just as with the Internet, you may have no intention of accessing that connection machine at all- it just is there to let you get a connection so that you can access other resources. There's probably no need for encryption over such a connection, though you may want to use dial-back modems.

If you have a real ip address on the Internet, you can also do something similar using ssh. This is not really a VPN, it's just encryption of packets. The difference is that your clients connect to that known, public IP address, not to the internal addresses you could use with a true VPN. However, this requires much less work to set up, and of course once they connect to that address you can automagically send them along to where you really want them. For example, you can modify their .profile on the ssh server so that they immediately ssh or rsh to their same account on another server. Again, though, their software has to use real, public ip addresses and you have to do whatever is necessary to redirect the packets within the office. Further, although ssh can set up tunnels for ftp or other access, none of it happens automatically: your remote clients will either need to be somewhat technical or you will have to do a lot of scripting or programming on their machines.

Some VPN solutions include proprietary ones like Cisco and completely free Linux implementations like PopTop ( http://poptop.lineo.com/ ). The proprietary packages generally require their own clients to be installed on the Windows machines, PopTop uses the built in Windows VPN client that Microsoft expected you to use with their NT VPN server. If you don't want Cisco, but aren't up to doing PopTop by yourself, there is some middle ground: folks like E-Smith provide a packaged PopTop and NetMax ( http://www.netmax.com ) has a Linux based IPSEC VPN that can be used with their Windows client or with other IPSEC clients.

I've been selling the E-Smith for a few months now; I've used it for both VPN and ssh style connections and am at least so far pretty happy with it. However, I also have clients with Cisco VPN's and other remote access and other stuff. My problem is that the client side software sometimes doesn't play well with other clients, so if I have to access them through the VPN I'd rather they didn't use proprietary clients.

One particular disadvantage (or advantage, depending on your viewpoint) of proprietary clients like the Cisco product is that they are memory resident. The Windows VPN client is not; you have to specifically make the VPN connection before attempting access to the remote network. Memory resident clients are good for situations where the client is always remote (never actually comes into the office) and where the connection is to one VPN server. When you have multiple possible connections (as I do with my clients) the Windows VPN client is much easier- you are specifically choosing what VPN server to connect to. In the case where the normally remote client brings their laptop to the office and physically connects to the network, the VPN software has to be unloaded, because it will try to route what are now local accesses through the VPN; this just won't work. It's usually easy enough to disable (with Cisco, for example, you just choose "unload Security policy") but people forget.

For more VPN information, see www.vpnlabs.com

Publish your articles, comments, book reviews or opinions here!

Comments /Linux/vpn.html


Add your comments

Why no "Digg this!" etc.?

Unix and Linux Support

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Forget the expense of flying to New England. Forget hotel and meals costs.
Installation and light training Boston and New England

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here